My SSH config file is set up to use a specific IdentityFile in the Host * section as the default key. For one particular host, I want to offer a different key (and only that key, never the default key).
My ~/.ssh/config file looks like this:

    Host specialhost
        HostName specialhostname.mydomain.com
        IdentityFile %d/.ssh/special-key
        LogLevel debug
        IdentitiesOnly yes

    Host *
        IdentityFile %d/.ssh/regular-key
        IdentitiesOnly yes

Regardless of what I do, or regardless of the order of sections in the config file, my SSH client (OS X OpenSSH_6.2p2) offers the 'regular-key' first (which the server accepts, which is not what I wanted).
The ssh_config man page states the following about IdentityFile:
"It is possible to have multiple identity files specified in configuration files; all these identities will be tried in sequence."
The "sequence" it refers to is unclear to me, since the IdentityFile listed in the Host * section is always offered first, even if "specialhost" is listed prior to it (as in the example above). The IdentitiesOnly trick suggested here only seems to be relevant to keys offered by ssh-agent. A few other similar questions have not yielded any answers.
I want to leave the regular-key in the Host * section because I use that key with dozens of other hosts and I don't want to duplicate the IdentityFile in every host entry.
Is there any way to force SSH to offer only the 'special-key' using just the SSH config (and without copying my IdentityFile directives to every other host)? I can see how I might achieve this by taking the keys out of the Host * section, adding them to the agent, and then using IdentitiesOnly yes for specialhost, but I would really prefer to avoid using ssh-agent unless there is no other way.
A little clarification: you must specify a hostname to exclude. If you use an alias with a Host set, the alias won't work as an exclusion. – Xan – 2019-02-13T14:00:44.870
This did it. My ssh client was matching Host * in all cases, and always picking its IdentityFile regardless of what I tried. Note: you can also match a wildcard, if needed, e.g.: Host * !*.example.com – aexl – 2019-10-02T08:34:06.897
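
Added example, not part of the original question or comments: a small Python model of how ssh_config(5) selects Host blocks, showing why the question's config leaves both keys configured for specialhost and how the negated pattern from the comments leaves only special-key. It handles only Host and IdentityFile lines (no Match, Include or quoting) and says nothing about the order in which keys are offered; both config strings and the `Host * !specialhost` line are constructed for illustration.

```python
import re

# Constructed configs: ORIGINAL mirrors the question; FIXED applies the negated
# pattern from the comments to the catch-all block (assumed fix, not the page's).
ORIGINAL = """\
Host specialhost
    HostName specialhostname.mydomain.com
    IdentityFile %d/.ssh/special-key
    IdentitiesOnly yes
Host *
    IdentityFile %d/.ssh/regular-key
    IdentitiesOnly yes
"""
FIXED = ORIGINAL.replace("Host *\n", "Host * !specialhost\n")


def glob_match(pattern, host):
    """ssh_config patterns: '*' is any run of characters, '?' exactly one."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, host) is not None


def host_line_matches(patterns, host):
    """A matching '!pattern' vetoes the whole Host line; otherwise at least
    one positive pattern has to match."""
    positive = False
    for pat in patterns:
        if pat.startswith("!"):
            if glob_match(pat[1:], host):
                return False
        elif glob_match(pat, host):
            positive = True
    return positive


def identity_files(config_text, host):
    """Every IdentityFile that applies to `host` (the name typed after `ssh`).
    IdentityFile accumulates across all matching Host blocks."""
    active, found = True, []  # lines before the first Host apply to every host
    for raw in config_text.splitlines():
        parts = raw.split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "host":
            active = host_line_matches(value.split(), host)
        elif keyword == "identityfile" and active:
            found.append(value)
    return found


if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, identity_files(cfg, "specialhost"), identity_files(cfg, "otherhost"))
```

On OpenSSH 6.8 or later, `ssh -G specialhost` prints the identityfile values the real client resolved, which is the check to run against an actual config.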